Recovering the Password

For most IPS platforms, you can now recover the password on the sensor rather than using the service account or reimaging the sensor. This section describes how to recover the password for the various IPS platforms. It contains the following topics:

Understanding Password Recovery

Password recovery implementations vary according to IPS platform requirements. Password recovery is implemented only for the cisco administrative account and is enabled by default. The IPS administrator can then recover user passwords for other accounts using the CLI. The cisco user password reverts to cisco and must be changed after the next login.

Note Administrators may need to disable the password recovery feature for security reasons.

Recovering the Appliance Password

Using the GRUB Menu

Note You must have a terminal server or direct serial connection to the appliance to use the GRUB menu to recover the password.

For 4200 series appliances, the password recovery is found in the GRUB menu, which appears during bootup. When the GRUB menu appears, press any key to pause the boot process.

To recover the password on appliances, follow these steps:

Step 1 Reboot the appliance to see the GRUB menu.

GNU GRUB version 0.94 (632K lower / 523264K upper memory)
-------------------------------------------
0: Cisco IPS
1: Cisco IPS Recovery
2: Cisco IPS Clear Password (cisco)
-------------------------------------------
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the
commands before booting, or 'c' for a command-line.
Highlighted entry is 0:

Step 2 Press any key to pause the boot process.

Step 3 Choose 2: Cisco IPS Clear Password (cisco).

The password is reset to cisco. You can change the password the next time you log in to the CLI.

Using ROMMON

For IPS 4240 and IPS 4255 you can use the ROMMON to recover the password. To access the ROMMON CLI, reboot the sensor from a terminal server or direct connection and interrupt the boot process.

Note After recovering the password, you must reset the confreg to 0; otherwise, when you try to upgrade the sensor, the upgrade fails because the sensor reboots into password recovery (confreg 0x7) rather than into the upgrade option.

Recovering the AIM IPS Password

To recover the password for the AIM IPS, use the clear password command. You must have console access to the AIM IPS and administrative access to the router.

To recover the password for the AIM IPS, follow these steps:

Step 1 Log in to the router.

Step 2 Enter privileged EXEC mode on the router.

router> enable

Step 3 Confirm the module slot number in your router.

router# show run | include ids-sensor

interface IDS-Sensor0/0

router#

Step 4 Session in to the AIM IPS.

router# service-module ids-sensor slot/port session

Example

router# service-module ids-sensor 0/0 session

Step 5 Press Control-shift-6 followed by x to navigate to the router CLI.

Step 6 Reset the AIM IPS from the router console.

router# service-module ids-sensor 0/0 reset

Step 7 Press Enter to return to the router console.

Step 8 When prompted for boot options, enter *** quickly. You are now in the bootloader.

Step 9 Clear the password.

ServicesEngine boot-loader# clear password

The AIM IPS reboots. The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.

Recovering the AIP SSM Password

You can reset the password to the default (cisco) for the AIP SSM using the CLI or the ASDM. Resetting the password causes the AIP SSM to reboot. IPS services are not available during the reboot.

Note To reset the password, you must have ASA 7.2.2 or later.

Use the hw-module module slot_number password-reset command to reset the password to the default cisco. If the module in the specified slot has an IPS version that does not support password recovery, the following error message is displayed:

ERROR: the module in slot <n> does not support password recovery.

Resetting the Password Using the CLI

To reset the password on the AIP SSM, follow these steps:

Step 1 Log into the adaptive security appliance and enter the following command to verify the module slot number:

This product contains cryptographic features and is subject to United States and local
country laws governing import, export, transfer and use. Delivery of Cisco cryptographic
products does not imply third-party authority to import, export, distribute or use
encryption. Importers, exporters, distributors and users are responsible for compliance
with U.S. and local country laws. By using this product you agree to comply with
applicable laws and regulations. If you are unable to comply with U.S. and local laws,
return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

***LICENSE NOTICE***

There is no license key installed on this IPS platform. The system will continue to
operate with the currently installed signature set. A valid license must be obtained in
order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a
new license or install a license.

aip_ssm#

Using the ASDM

To reset the password in the ASDM, follow these steps:

Step 1 From the ASDM menu bar, choose Tools > IPS Password Reset.

Note This option does not appear in the menu if there is no IPS present.

Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.

Step 3 Click Close to close the dialog box. The sensor reboots.

Recovering the IDSM2 Password

To recover the password for the IDSM2, you must install a special password recovery image file. This installation only resets the password, all other configuration remains intact. The password recovery image is version-dependent and can be found on the Cisco Download Software site. For IPS 6.x, download WS-SVC-IDSM2-K9-a-6.0-password-recovery.bin.gz. For IPS 7.x, download WS-SVC-IDSM2-K9-a-7.0-password-recovery.bin.gz.

FTP is the only supported protocol for image installations, so make sure you put the password recovery image file on an FTP server that is accessible to the switch. You must have administrative access to the Cisco 6500 series switch to recover the password on the IDSM2.

During the password recovery image installation, the following message appears:

Upgrading will wipe out the contents on the hard disk.

Do you want to proceed installing it [y|n]:

This message is in error. Installing the password recovery image does not remove any configuration, it only resets the login account.

Once you have downloaded the password recovery image file, follow the instructions to install the system image file but substitute the password recovery image file for the system image file. The IDSM2 should reboot into the primary partition after installing the recovery image file. If it does not, enter the following command from the switch:

hw-module module module_number reset hdd:1

Note The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.

Recovering the NME IPS Password

To recover the password for the NME IPS, use the clear password command. You must have console access to the NME IPS and administrative access to the router.

To recover the password for the NME IPS, follow these steps:

Step 1 Log in to the router.

Step 2 Enter privileged EXEC mode on the router.

router> enable

Step 3 Confirm the module slot number in your router.

router# show run | include ids-sensor

interface IDS-Sensor1/0

router#

Step 4 Session in to the NME IPS.

router# service-module ids-sensor slot/port session

Example

router# service-module ids-sensor 1/0 session

Step 5 Press Control-shift-6 followed by x to navigate to the router CLI.

Step 6 Reset the NME IPS from the router console.

router# service-module ids-sensor 1/0 reset

Step 7 Press Enter to return to the router console.

Step 8 When prompted for boot options, enter *** quickly.

You are now in the bootloader.

Step 9 Clear the password.

ServicesEngine boot-loader# clear password

The NME IPS reboots. The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.

Disabling Password Recovery

Caution If you try to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors or warnings; however, the password is not reset. If you cannot log in to the sensor because you have forgotten the password, and password recovery is set to disabled, you must reimage your sensor.

Password recovery is enabled by default. You can disable password recovery through the CLI, IDM, or IME.

Disabling Password Recovery Using the CLI

To disable password recovery in the CLI, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter global configuration mode.

sensor# configure terminal

Step 3 Enter host mode.

sensor(config)# service host

Step 4 Disable password recovery.

sensor(config-hos)# password-recovery disallowed

Disabling Password Recovery Using IDM or IME

To disable password recovery in IDM or IME, follow these steps:

Step 1 Log in to IDM or IME using an account with administrator privileges.

Verifying the State of Password Recovery

Use the show settings | include password command to verify whether password recovery is enabled.

To verify whether password recovery is enabled, follow these steps:

Step 1 Log in to the CLI.

Step 2 Enter service host submode.

sensor# configure terminal
sensor(config)# service host
sensor(config-hos)#

Step 3 Verify the state of password recovery by using the include keyword to show settings in a filtered output.

sensor(config-hos)# show settings | include password
password-recovery: allowed <defaulted>
sensor(config-hos)#

Troubleshooting Password Recovery

When you troubleshoot password recovery, pay attention to the following:

•You cannot determine whether password recovery has been disabled in the sensor configuration from the ROMMON prompt, GRUB menu, switch CLI, or router CLI. If you attempt password recovery, it always appears to succeed. If it has been disabled, the password is not reset to cisco. The only option is to reimage the sensor.

•You can disable password recovery in the host configuration. For the platforms that use external mechanisms, such as the AIM IPS and the NME IPS bootloader, ROMMON, and the maintenance partition for the IDSM2, although you can run commands to clear the password, if password recovery is disabled in the IPS, the IPS detects that password recovery is not allowed and rejects the external request.

•To check the state of password recovery, use the show settings | include password command.

•When performing password recovery on the IDSM2, you see the following message: Upgrading will wipe out the contents on the storage media. You can ignore this message. Only the password is reset when you use the specified password recovery image.

Clearing the Sensor Databases

Caution We do not recommend that you use this command unless under the direction of TAC or in some testing conditions when you need to clear accumulated state information and start with a clean database.

Use the clear database [virtual-sensor] all | nodes | alerts | inspectors command in privileged EXEC mode to clear specific parts of the sensor database. The clear database command is useful for troubleshooting and testing.

Inspector lists represent the packet work and observations collected during the time the sensor is running.

To clear the sensor database, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Clear the entire sensor database.

sensor# clear database all

Warning: Executing this command will delete database on all virtual sensors

Continue? [yes]:

Step 3 Enter yes to clear all the databases on the sensor.

Step 4 Clear the packet nodes.

sensor# clear database nodes

Warning: Executing this command will delete database on all virtual sensors

Continue? [yes]:

Step 5 Enter yes to clear the packet nodes database.

Step 6 Clear the alerts database on a specific virtual sensor:

sensor# clear database vs0 alerts

Warning: Executing this command will delete database on all virtual sensors

Continue? [yes]:

Step 7 Enter yes to clear the alerts database.

Step 8 Clear inspector lists on the sensor.

sensor# clear database inspectors

Warning: Executing this command will delete database on all virtual sensors

Continue? [yes]:

Step 9 Enter yes to clear the inspectors database.

Displaying the Inspection Load of the Sensor

Use the show inspection-load command in privileged EXEC mode to display a timestamp and the current inspection load of the sensor. Use the history option to display a histogram of the inspection load over the past 60 minutes and over the past 72 hours.

Use this command to determine the load on the sensor instead of the CPU Usage information from the show statistics host command. The inspection load is a more accurate representation of the processing level of the sensor. The calculation of the inspection load has also been enhanced to provide a more accurate calculation of the sensor load at lower traffic levels.

Note The Processing Load category in the show statistics virtual-sensor output has been renamed to Inspection Load and shows the same value seen in the show inspection-load command.

To display the inspection load of the sensor, follow these steps:

Step 1 Log in to the CLI.

Step 2 Show the current inspection load with a timestamp of the sensor.

Configuring Health Status Information

Use the health-monitor command in service submode to configure the health statistics for the sensor. Use the show health command to see the results of the health-monitor command. The health status categories are rated by red and green with red being critical.

•event-retrieval-policy {enable | disable} {true | false} red-threshold yellow-threshold seconds—Lets you set a threshold for when the last event was retrieved and have that apply to the overall sensor health rating. The health status is degraded to red or yellow when that threshold is met. The range for the threshold is 0 to 4294967295 seconds.

Note The event retrieval metric keeps track of when the last event was retrieved by an external monitoring application such as IME. Disable event retrieval policy if you are not doing external event monitoring.

•heartbeat-events {enable | disable} seconds—Lets you enable heartbeat events to be emitted at the specified interval in seconds and have that apply to the overall sensor health rating. The range for the interval is 15 to 86400 seconds.

•inspection-load-policy {enable | disable} {true | false} red-threshold yellow-threshold seconds—Lets you set the threshold for inspection load. The health status is degraded to red or yellow when that threshold is met. The range is 0 to 100.

•interface-down-policy {enable | disable} {true | false} status {green | yellow | red}—Lets you choose to know if one or more enabled interfaces are down and have that apply to the overall sensor health rating.

•license-expiration-policy {enable | disable} {true | false} red-threshold yellow-threshold—Lets you set a threshold for when the license expires and whether this metric is applied to the overall sensor health rating. The range for the threshold is 0 to 4294967295 seconds.

•memory-usage-policy {enable | disable} {true | false} red-threshold yellow-threshold—Lets you set a threshold percentage for memory usage and whether this metric is applied to the overall sensor health rating. The range is 0 to 100.

•missed-packet-policy {enable | disable} {true | false} red-threshold yellow-threshold—Lets you set a threshold percentage for missed packets and whether this metric is applied to the overall sensor health rating.

•persist-security-status—Lets you set the number of minutes that a lowered security status persists after the latest event that lowered it.

•signature-update-policy {enable | disable} {true | false} red-threshold yellow-threshold—Lets you set a threshold for the number of days elapsed since the last signature update and whether this metric is applied to the overall sensor health rating. The range for the threshold is 0 to 4294967295 seconds.

To configure the health statistics for the sensor, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 8 Enable the metrics for heartbeat events to be emitted at the specified interval of seconds.

sensor(config-hea)# heartbeat-events enable 20000

sensor(config-hea)#

Step 9 Set the inspection load threshold.

sensor(config-hea)# inspection-load-policy
sensor(config-hea-ins)# enable true
sensor(config-hea-ins)# red-threshold 100
sensor(config-hea-ins)# yellow-threshold 50
sensor(config-hea-ins)# exit
sensor(config-hea)#

Step 10 Enable the interface down policy.

sensor(config-hea)# interface-down-policy
sensor(config-hea-int)# enable true
sensor(config-hea-int)# status yellow
sensor(config-hea-int)# exit
sensor(config-hea)#

Step 11 Set the number of days until the license expires.

sensor(config-hea)# license-expiration-policy
sensor(config-hea-lic)# enable true
sensor(config-hea-lic)# red-threshold 400000
sensor(config-hea-lic)# yellow-threshold 200000
sensor(config-hea-lic)# exit
sensor(config-hea)#

Step 12 Set the threshold for memory usage.

sensor(config-hea)# memory-usage-policy
sensor(config-hea-mem)# enable true
sensor(config-hea-mem)# red-threshold 100
sensor(config-hea-mem)# yellow-threshold 50
sensor(config-hea-mem)# exit
sensor(config-hea)#

Step 13 Set the missed packet threshold.

sensor(config-hea)# missed-packet-policy
sensor(config-hea-mis)# enable true
sensor(config-hea-mis)# red-threshold 50
sensor(config-hea-mis)# yellow-threshold 20
sensor(config-hea-mis)# exit
sensor(config-hea)#

Step 14 Set the number of minutes that a lowered security status persists after the latest event that lowered it.

sensor(config-hea)# persist-security-status 10

sensor(config-hea)#

Step 15 Set the number of days since the last signature update.

sensor(config-hea)# signature-update-policy
sensor(config-hea-sig)# enable true
sensor(config-hea-sig)# red-threshold 30000
sensor(config-hea-sig)# yellow-threshold 10000
sensor(config-hea-sig)# exit
sensor(config-hea)#

Step 16 Verify your settings.

sensor(config-hea)# show settings
enable-monitoring: true default: true
persist-security-status: 10 minutes default: 5
heartbeat-events
-----------------------------------------------
enable: 20000 seconds default: 300
-----------------------------------------------
application-failure-policy
-----------------------------------------------
enable: true default: true
status: red default: red
-----------------------------------------------
bypass-policy
-----------------------------------------------
enable: true default: true
status: yellow default: red
-----------------------------------------------
interface-down-policy
-----------------------------------------------
enable: true default: true
status: yellow default: red
-----------------------------------------------
inspection-load-policy
-----------------------------------------------
enable: true default: true
yellow-threshold: 50 percent default: 80
red-threshold: 100 percent default: 91
-----------------------------------------------
missed-packet-policy
-----------------------------------------------
enable: true default: true
yellow-threshold: 20 percent default: 1
red-threshold: 50 percent default: 6
-----------------------------------------------
memory-usage-policy
-----------------------------------------------
enable: true default: false
yellow-threshold: 50 percent default: 80
red-threshold: 100 percent default: 91
-----------------------------------------------
signature-update-policy
-----------------------------------------------
enable: true default: true
yellow-threshold: 10000 days default: 30
red-threshold: 30000 days default: 60
-----------------------------------------------
license-expiration-policy
-----------------------------------------------
enable: true default: true
yellow-threshold: 200000 days default: 30
red-threshold: 400000 days default: 0
-----------------------------------------------
event-retrieval-policy
-----------------------------------------------
enable: true <defaulted>
yellow-threshold: 100000 seconds default: 300
red-threshold: 100 seconds default: 600
-----------------------------------------------
sensor(config-hea)#

Step 17 Exit health monitoring submode.

sensor(config-hea)# exit
Apply Changes:?[yes]:

Step 18 Press Enter to apply the changes or enter no to discard them.
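To show how the thresholds configured above turn into a red, yellow or green status, here is an added Python example (not Cisco's code) that parses a health-monitor show settings listing in the format shown in Step 16 and rates constructed sample metrics against it; the sample values, the line-oriented parser and the "worst enabled rating wins" overall rule are assumptions made for illustration.

```python
"""Rate sample sensor metrics against a health-monitor show settings listing.

Added example, not Cisco code. Applies the documented rule that a metric
reaching its yellow or red threshold degrades the status, and that the
interface-down policy reports its configured status when a link is down.
"""
from typing import Dict

# Constructed sample excerpt of `sensor(config-hea)# show settings`,
# using the threshold values from the procedure above.
SAMPLE_SETTINGS = """\
sensor(config-hea)# show settings
enable-monitoring: true default: true
persist-security-status: 10 minutes default: 5
interface-down-policy
-----------------------------------------------
enable: true default: true
status: yellow default: red
-----------------------------------------------
inspection-load-policy
-----------------------------------------------
enable: true default: true
yellow-threshold: 50 percent default: 80
red-threshold: 100 percent default: 91
-----------------------------------------------
missed-packet-policy
-----------------------------------------------
enable: true default: true
yellow-threshold: 20 percent default: 1
red-threshold: 50 percent default: 6
-----------------------------------------------
memory-usage-policy
-----------------------------------------------
enable: false default: false
yellow-threshold: 50 percent default: 80
red-threshold: 100 percent default: 91
-----------------------------------------------
sensor(config-hea)#
"""

SEVERITY = {"green": 0, "yellow": 1, "red": 2}


def parse_health_settings(text: str) -> Dict[str, Dict[str, str]]:
    """Turn the listing into {policy: {key: configured_value}}.

    Keys before the first policy name land in the "global" section. Units
    ("percent", "seconds") and the "default: N" tail are dropped.
    """
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line or set(line) == {"-"}:
            continue                      # blank, prompt echo, or separator rule
        if ":" not in line:
            current = line                # a bare policy name starts a section
            sections.setdefault(current, {})
            continue
        key, rest = line.split(":", 1)
        sections[current][key.strip()] = rest.split()[0]   # first token is the value
    return sections


def rate_percent(value: float, policy: Dict[str, str]) -> str:
    """Percent-style policies: status degrades once a threshold is met."""
    if policy.get("enable") != "true":
        return "not-enabled"
    if value >= float(policy["red-threshold"]):
        return "red"
    if value >= float(policy["yellow-threshold"]):
        return "yellow"
    return "green"


def rate_interface_down(any_down: bool, policy: Dict[str, str]) -> str:
    """interface-down-policy reports its configured status when a link is down."""
    if policy.get("enable") != "true":
        return "not-enabled"
    return policy["status"] if any_down else "green"


def overall_status(ratings: Dict[str, str]) -> str:
    """Assumed rule: overall health is the worst rating among enabled metrics."""
    rated = [r for r in ratings.values() if r in SEVERITY]
    return max(rated, key=SEVERITY.__getitem__) if rated else "green"


def evaluate(settings_text: str, inspection_load: float, missed_packets: float,
             memory_usage: float, interface_down: bool) -> Dict[str, str]:
    """Rate each sample metric and add the combined result under 'overall'."""
    cfg = parse_health_settings(settings_text)
    ratings = {
        "inspection-load": rate_percent(inspection_load, cfg["inspection-load-policy"]),
        "missed-packets": rate_percent(missed_packets, cfg["missed-packet-policy"]),
        "memory-usage": rate_percent(memory_usage, cfg["memory-usage-policy"]),
        "interfaces-down": rate_interface_down(interface_down, cfg["interface-down-policy"]),
    }
    ratings["overall"] = overall_status(ratings)
    return ratings


if __name__ == "__main__":
    for name, status in evaluate(SAMPLE_SETTINGS, 55, 50, 95, True).items():
        print(f"{name:16s} {status}")
```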

Showing Sensor Overall Health Status

Use the show health command in privileged EXEC mode to display the overall health status information of the sensor. The health status categories are rated by red and green with red being critical.

Caution When the sensor is first starting, it is normal for certain health metric statuses to be red until the sensor is fully up and running.

To display the overall health status of the sensor, follow these steps:

Step 1 Log in to the CLI.

Step 2 Show the health and security status of the sensor.

sensor# show health
Overall Health Status Red
Health Status for Failed Applications Green
Health Status for Signature Updates Green
Health Status for License Key Expiration Red
Health Status for Running in Bypass Mode Green
Health Status for Interfaces Being Down Red
Health Status for the Inspection Load Green
Health Status for the Time Since Last Event Retrieval Green
Health Status for the Number of Missed Packets Green
Health Status for the Memory Usage Not Enabled
Health Status for Global Correlation Red
Health Status for Network Participation Not Enabled
Security Status for Virtual Sensor vs0 Green
sensor#

Creating a Banner Login

Use the banner login command to create a banner login that will be displayed before the user and password login prompts. The maximum message length is 2500 characters. Use the no banner login command to remove the banner.

To create a banner login, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter global configuration mode.

sensor# configure terminal

Step 3 Create the banner login.

sensor(config)# banner login
Banner[]:

Step 4 Enter your message.

Banner[]: This message will be displayed on banner login. ^M Thank you
sensor(config)#

Note To use a ? or a carriage return in the message, press Ctrl-V-? or Ctrl-V-Enter. They are represented by ^M.

Example

This message will be displayed on login.
Thank you
login: cisco
Password:****

Step 5 To remove the banner login.

sensor(config)# no banner login

The banner no longer appears at login.

Terminating CLI Sessions

Caution You can only clear CLI login sessions with the clear line command. You cannot clear service logins with this command.

Use the clear line cli_id [message] command to terminate another CLI session. If you use the message keyword, you can send a message along with the termination request to the receiving user. The maximum message length is 2500 characters.

The following options apply:

•cli_id—CLI ID number associated with the login session. Use the show users command to find the CLI ID number.

•message—Message to send to the receiving user.

If an administrator tries to log in when the maximum sessions have been reached, the following message appears:

Error: The maximum allowed CLI sessions are currently open, would you like to terminate one of the open sessions? [no]

If an operator or viewer tries to log in when the maximum sessions are open, the following message appears:

Error: The maximum allowed CLI sessions are currently open, please try again later.

To terminate a CLI session, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Note Operators and viewers can only clear lines with the same username as the current login.

Step 2 Find the CLI ID number associated with the login session.

sensor# show users
CLI ID User Privilege
* 13533 jtaylor administrator
15689 jsmith operator
20098 viewer viewer

Step 3 Terminate the CLI session of jsmith.

sensor# clear line cli_id message
Message[]:

Example

sensor# clear line 15689 message
Message[]: Sorry! I need to terminate your session.
sensor#

The user jsmith receives the following message from the administrator jtaylor.

sensor#
***
***
*** Termination request from jtaylor
***
Sorry! I need to terminate your session.

Modifying Terminal Properties

Note You are not required to specify the screen length for some types of terminal sessions because the specified screen length can be learned by some remote hosts.

Use the terminal [length screen_length] command to modify terminal properties for a login session. The screen_length option lets you set the number of lines that appear on the screen before the --more-- prompt is displayed. A value of zero results in no pause in the output. The default value is 24 lines.

To modify the terminal properties, follow these steps:

Step 1 Log in to the CLI.

Step 2 To have no pause between multi-screen outputs, use 0 for the screen length value.

sensor# terminal length 0

Note The screen length values are not saved between login sessions.

Step 3 To have the CLI pause and display the --more-- prompt every 10 lines, use 10 for the screen length value.

sensor# terminal length 10

Configuring Events

This section describes how to display and clear events from Event Store, and contains the following topics:

Events are displayed beginning at the start time. If you do not specify a start time, events are displayed beginning at the current time. If you do not specify an event type, all events are displayed.

Note Events are displayed as a live feed. To cancel the request, press Ctrl-C.

The following options apply:

•alert—Displays alerts. Provides notification of some suspicious activity that may indicate an attack is in process or has been attempted. Alert events are generated by Analysis Engine whenever a signature is triggered by network activity.

If no level is selected (informational, low, medium, or high), all alert events are displayed.

•include-traits—Displays alerts that have the specified traits.

•exclude-traits—Does not display alerts that have the specified traits.

•traits—Trait bit position in decimal (0 to 15).

•min-threat-rating—Displays events with a threat rating above or equal to this value. The default is 0. The valid range is 0 to 100.

•max-threat-rating—Displays events with a threat rating below or equal to this value. The default is 100. The valid range is 0 to 100.
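The event filters listed above, replayed over constructed sample alerts as an added Python example (not Cisco code): include-traits and exclude-traits are modelled as trait bit positions 0 to 15 in a 16-bit mask, and min-threat-rating and max-threat-rating as an inclusive 0 to 100 band. The alert records, the function name show_events and the rule that any one requested trait is enough to include an alert are assumptions.

```python
"""Model of the sensor's event display filters over constructed sample alerts.

Added example, not Cisco code. Mirrors the documented options: an optional
alert level, include-traits / exclude-traits (bit positions 0-15) and an
inclusive min/max threat rating band (0-100).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

LEVELS = ("informational", "low", "medium", "high")


@dataclass(frozen=True)
class Alert:
    sig_id: int
    level: str          # one of LEVELS
    threat_rating: int  # 0-100
    traits: int         # 16-bit mask; bit n set means trait n applies


def traits_to_mask(bits: Iterable[int]) -> int:
    """Build a mask from trait positions, rejecting anything outside 0-15."""
    mask = 0
    for b in bits:
        if not 0 <= b <= 15:
            raise ValueError(f"trait bit {b} is outside the valid range 0-15")
        mask |= 1 << b
    return mask


def show_events(alerts: Iterable[Alert], level: Optional[str] = None,
                include_traits: Iterable[int] = (),
                exclude_traits: Iterable[int] = (),
                min_threat_rating: int = 0,
                max_threat_rating: int = 100) -> List[Alert]:
    """Return the alerts that survive every filter, in their original order."""
    if level is not None and level not in LEVELS:
        raise ValueError(f"unknown alert level {level!r}")
    if not 0 <= min_threat_rating <= max_threat_rating <= 100:
        raise ValueError("threat rating band must satisfy 0 <= min <= max <= 100")
    include = traits_to_mask(include_traits)
    exclude = traits_to_mask(exclude_traits)
    kept = []
    for a in alerts:
        if level is not None and a.level != level:
            continue  # no level given means every alert level is displayed
        if include and not (a.traits & include):
            continue  # assumption: any one of the requested traits is enough
        if a.traits & exclude:
            continue  # a single excluded trait hides the alert
        if not min_threat_rating <= a.threat_rating <= max_threat_rating:
            continue  # both bounds are inclusive ("above or equal", "below or equal")
        kept.append(a)
    return kept


# Constructed sample alerts (not real sensor output).
SAMPLE_ALERTS = [
    Alert(2004, "informational", 10, traits_to_mask([0])),
    Alert(3030, "high", 95, traits_to_mask([1, 4])),
    Alert(5081, "medium", 60, traits_to_mask([4])),
    Alert(1204, "low", 35, 0),
]

if __name__ == "__main__":
    for a in show_events(SAMPLE_ALERTS, include_traits=[4], exclude_traits=[1]):
        print(a.sig_id, a.level, a.threat_rating)
```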

Configuring the System Clock

Displaying the System Clock

Use the show clock [detail] command to display the system clock. You can use the detail option to indicate the clock source (NTP or system) and the current summertime setting (if any). The system clock keeps an authoritative flag that indicates whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source, such as NTP, the flag is set.

This indicates that the sensor is getting its time from NTP and that NTP is configured and synchronized.

sensor# show clock detail
*20:09:43 UTC Thu Apr 03 2008
No time source
Summer time starts 03:00:00 UTC Sun Mar 09 2008
Summer time stops 01:00:00 UTC Sun Nov 02 2008

This indicates that no time source is configured.

Manually Setting the System Clock

Note You do not need to set the system clock if your sensor is synchronized by a valid outside timing mechanism such as an NTP clock source.

Use the clock set hh:mm[:ss] month day year command to manually set the clock on the appliance. Use this command if no other time sources are available.

The clock set command does not apply to the following platforms:

•AIM IPS

•AIP SSM

•IDSM2

•NME IPS

To manually set the clock on the appliance, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Set the clock manually.

sensor# clock set 13:21 Mar 29 2008

Note The time format is 24-hour time.

Clearing the Denied Attackers List

Use the show statistics denied-attackers command to display the list of denied attackers. Use the clear denied-attackers [virtual_sensor] [ip-address ip_address] command to delete the denied attackers list and clear the virtual sensor statistics.

If your sensor is configured to operate in inline mode, the traffic is passing through the sensor. You can configure signatures to deny packets, connections, and attackers while in inline mode, which means that single packets, connections, and specific attackers are denied, that is, not transmitted, when the sensor encounters them.

When the signature fires, the attacker is denied and placed in a list. As part of sensor administration, you may want to delete the list or clear the statistics in the list.

Warning: Executing this command will delete ip address 10.1.1.1 from the list of attackers being denied by virtual sensor vs0.
Continue with clear? [yes]:

Step 8 Enter yes to clear the list.

Step 9 Verify that you have cleared the list. You can use the show statistics denied-attackers or show statistics virtual-sensor command.

sensor# show statistics denied-attackers
Denied Attackers and hit count for each.
Denied Attackers and hit count for each.
Statistics for Virtual Sensor vs0
Denied Attackers with percent denied and hit count for each.
Denied Attackers with percent denied and hit count for each.
Statistics for Virtual Sensor vs1
Denied Attackers with percent denied and hit count for each.
Denied Attackers with percent denied and hit count for each.
sensor#

sensor# show statistics virtual-sensor
Virtual Sensor Statistics
Statistics for Virtual Sensor vs0
Name of current Signature-Definition instance = sig0
Name of current Event-Action-Rules instance = rules0
List of interfaces monitored by this virtual sensor = mypair
Denied Address Information
Number of Active Denied Attackers = 0
Number of Denied Attackers Inserted = 2
Number of Denied Attackers Total Hits = 287
Number of times max-denied-attackers limited creation of new entry = 0
Number of exec Clear commands during uptime = 1
Denied Attackers and hit count for each.

Step 10 Clear only the statistics.

sensor# show statistics virtual-sensor clear

Step 11 Verify that you have cleared the statistics.

sensor# show statistics virtual-sensor
Virtual Sensor Statistics
Statistics for Virtual Sensor vs0
Name of current Signature-Definition instance = sig0
Name of current Event-Action-Rules instance = rules0
List of interfaces monitored by this virtual sensor = mypair
Denied Address Information
Number of Active Denied Attackers = 2
Number of Denied Attackers Inserted = 0
Number of Denied Attackers Total Hits = 0
Number of times max-denied-attackers limited creation of new entry = 0
Number of exec Clear commands during uptime = 1
Denied Attackers and hit count for each.
10.20.2.5 = 0
10.20.5.2 = 0

The statistics have all been cleared except for the Number of Active Denied Attackers and Number of exec Clear commands during uptime categories. It is important to know if the list has been cleared.

Displaying Policy Lists

Use the list {anomaly-detection-configurations | event-action-rules-configurations | signature-definition-configurations} command in EXEC mode to display the list of policies for these components. The file size is in bytes. A virtual sensor of N/A indicates that the policy is not assigned to a virtual sensor.

Use the show statistics {anomaly-detection | denied-attackers | os-identification | virtual-sensor} [name | clear] command to display statistics for these components for all virtual sensors. If you provide the virtual sensor name, the statistics for that virtual sensor only are displayed.

Note The clear option is not available for the analysis engine, anomaly detection, host, network access, or OS identification applications.

To display statistics for the sensor, follow these steps:

Step 1 Log in to the CLI.

Step 2 Display the statistics for Analysis Engine.

sensor# show statistics analysis-engine

Analysis Engine Statistics

Number of seconds since service started = 1421127

Measure of the level of current resource utilization = 0

Measure of the level of maximum resource utilization = 0

The rate of TCP connections tracked per second = 0

The rate of packets per second = 0

The rate of bytes per second = 0

Receiver Statistics

Total number of packets processed since reset = 0

Total number of IP packets processed since reset = 0

Transmitter Statistics

Total number of packets transmitted = 0

Total number of packets denied = 0

Total number of packets reset = 0

Fragment Reassembly Unit Statistics

Number of fragments currently in FRU = 0

Number of datagrams currently in FRU = 0

TCP Stream Reassembly Unit Statistics

TCP streams currently in the embryonic state = 0

TCP streams currently in the established state = 0

TCP streams currently in the closing state = 0

TCP streams currently in the system = 0

TCP Packets currently queued for reassembly = 0

The Signature Database Statistics.

Total nodes active = 0

TCP nodes keyed on both IP addresses and both ports = 0

UDP nodes keyed on both IP addresses and both ports = 0

IP nodes keyed on both IP addresses = 0

Statistics for Signature Events

Number of SigEvents since reset = 0

Statistics for Actions executed on a SigEvent

Number of Alerts written to the IdsEventStore = 0

sensor#

Step 3 Display the statistics for anomaly detection.

sensor# show statistics anomaly-detection

Statistics for Virtual Sensor vs0

No attack

Detection - ON

Learning - ON

Next KB rotation at 10:00:01 UTC Sat Jan 18 2008

Internal Zone

TCP Protocol

UDP Protocol

Other Protocol

External Zone

TCP Protocol

UDP Protocol

Other Protocol

Illegal Zone

TCP Protocol

UDP Protocol

Other Protocol

Statistics for Virtual Sensor vs1

No attack

Detection - ON

Learning - ON

Next KB rotation at 10:00:00 UTC Sat Jan 18 2008

Internal Zone

TCP Protocol

UDP Protocol

Other Protocol

External Zone

TCP Protocol

UDP Protocol

Other Protocol

Illegal Zone

TCP Protocol

UDP Protocol

Other Protocol

sensor-4240#

Step 4 Display the statistics for authentication.

sensor# show statistics authentication

General

totalAuthenticationAttempts = 128

failedAuthenticationAttempts = 0

sensor#

Step 5 Display the statistics for the denied attackers in the system.

sensor# show statistics denied-attackers

Denied Attackers and hit count for each.

Denied Attackers and hit count for each.

Statistics for Virtual Sensor vs0

Denied Attackers with percent denied and hit count for each.

Denied Attackers with percent denied and hit count for each.

Statistics for Virtual Sensor vs1

Denied Attackers with percent denied and hit count for each.

Denied Attackers with percent denied and hit count for each.

sensor#

Step 6 Display the statistics for Event Server.

sensor# show statistics event-server

General

openSubscriptions = 0

blockedSubscriptions = 0

Subscriptions

sensor#

Step 7 Display the statistics for Event Store.

sensor# show statistics event-store

Event store statistics

General information about the event store

The current number of open subscriptions = 2

The number of events lost by subscriptions and queries = 0

The number of queries issued = 0

The number of times the event store circular buffer has wrapped = 0

Number of events of each type currently stored

Debug events = 0

Status events = 9904

Log transaction events = 0

Shun request events = 61

Error events, warning = 67

Error events, error = 83

Error events, fatal = 0

Alert events, informational = 60

Alert events, low = 1

Alert events, medium = 60

Alert events, high = 0

sensor#

Step 8 Display the statistics for global correlation.

sensor# show statistics global-correlation

Network Participation:

Counters:

Total Connection Attempts = 0

Total Connection Failures = 0

Connection Failures Since Last Success = 0

Connection History:

Updates:

Status Of Last Update Attempt = Disabled

Time Since Last Successful Update = never

Counters:

Update Failures Since Last Success = 0

Total Update Attempts = 0

Total Update Failures = 0

Update Interval In Seconds = 300

Update Server = update-manifests.ironport.com

Update Server Address = Unknown

Current Versions:

Warnings:

Unlicensed = Global correlation inspection and reputation filtering have been disabled because the sensor is unlicensed.

Action Required = Obtain a new license from http://www.cisco.com/go/license.

Displaying Tech Support Information

Use the show tech-support [page] [destination-url destination_url] command to display system information on the screen or have it sent to a specific URL. You can use the information as a troubleshooting tool with TAC.

The following parameters are optional:

•page—Displays the output, one page of information at a time.

Press Enter to display the next line of output or use the spacebar to display the next page of information.

•destination-url—Indicates the information should be formatted as HTML and sent to the destination that follows this command. If you use this keyword, the output is not displayed on the screen.

•destination_url—Indicates the information should be formatted as HTML. The URL specifies where the information should be sent. If you do not use this keyword, the information is displayed on the screen.

To display tech support information, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 View the output on the screen.

sensor# show tech-support page

The system information appears on the screen, one page at a time. Press the spacebar to view the next page or press Ctrl-C to return to the prompt.

•ftp:—Destination URL for FTP network server. The syntax for this prefix is ftp:[[//username@location]/relativeDirectory]/filename or ftp:[[//username@location]//absoluteDirectory]/filename.

•scp:—Destination URL for the SCP network server. The syntax for this prefix is scp:[[//username@location]/relativeDirectory]/filename or scp:[[//username@location]//absoluteDirectory]/filename.

For example, to send the tech support output to the file /absolute/reports/sensor1Report.html:

sensor# show tech-support dest ftp://csidsuser@10.2.1.2//absolute/reports/sensor1Report.html

The password: prompt appears.

b. Enter the password for this user account. The Generating report: message is displayed.

Displaying Version Information

Use the show version command to display version information for all installed operating system packages, signature packages, and IPS processes running on the system. To view the configuration for the entire system, use the more current-config command.

To display the version and configuration, follow these steps:

Step 1 Log in to the CLI.

Step 2 View version information.

sensor# show version

Application Partition:

Cisco Intrusion Prevention System, Version 7.0(4)E4

Host:

Realm Keys key1.0

Signature Definition:

Signature Update S383.0 2009-02-20

Virus Update V1.4 2007-03-02

OS Version: 2.4.30-IDS-smp-bigphys

Platform: IPS 4240-K9

Serial Number: JMX1013K020

Licensed, expires: <07-Aug-2013 UTC >

Sensor up-time is 23:01.

Using 1421856768 out of 1984552960 bytes of available memory (71% usage)

system is using 16.5M out of 38.5M bytes of available disk space (43% usage)

application-data is using 43.5M out of 166.8M bytes of available disk space (27% usage)

boot is using 40.5M out of 68.6M bytes of available disk space (62% usage)

application-log is using 123.5M out of 513.0M bytes of available disk space (24%
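As an added example, not part of the Cisco documentation, this Python parses the resource-usage lines and the license expiry out of show version output and turns them into warnings; the unlicensed warning in the global-correlation statistics above shows why expiry is worth watching. The sample output and function names are mine.

```python
import re
from datetime import date, datetime

# Constructed sample modelled on the "show version" output above (not from a real sensor).
SHOW_VERSION = """\
Cisco Intrusion Prevention System, Version 7.0(4)E4
Platform: IPS 4240-K9
Licensed, expires: <07-Aug-2013 UTC >
Sensor up-time is 23:01.
Using 1421856768 out of 1984552960 bytes of available memory (71% usage)
system is using 16.5M out of 38.5M bytes of available disk space (43% usage)
application-data is using 43.5M out of 166.8M bytes of available disk space (27% usage)
boot is using 40.5M out of 68.6M bytes of available disk space (62% usage)
application-log is using 123.5M out of 513.0M bytes of available disk space (24% usage)
"""

VER_RE = re.compile(r"^Cisco Intrusion Prevention System, Version (\S+)")
MEM_RE = re.compile(r"^Using \d+ out of \d+ bytes of available memory \((\d+)% usage\)")
DISK_RE = re.compile(r"^(\S+) is using [\d.]+M out of [\d.]+M bytes of available disk space \((\d+)% usage\)")
LIC_RE = re.compile(r"^Licensed, expires: <(\d{2}-[A-Za-z]{3}-\d{4}) UTC\s*>")

def parse_show_version(text):
    """Extract the IPS version, percent usage per resource and the license expiry date."""
    info = {"version": None, "usage": {}, "license_expires": None}
    for line in text.splitlines():
        if m := VER_RE.match(line):
            info["version"] = m.group(1)
        elif m := MEM_RE.match(line):
            info["usage"]["memory"] = int(m.group(1))
        elif m := DISK_RE.match(line):
            info["usage"][m.group(1)] = int(m.group(2))
        elif m := LIC_RE.match(line):
            info["license_expires"] = datetime.strptime(m.group(1), "%d-%b-%Y").date()
    return info

def health_warnings(info, today, usage_threshold=60, license_days=30):
    """Return warnings worth raising, evaluated against an ISO date string; [] means all clear."""
    warnings = [f"{name} at {pct}% usage"
                for name, pct in sorted(info["usage"].items()) if pct >= usage_threshold]
    exp = info["license_expires"]
    if exp is None:
        warnings.append("no license found; global correlation and reputation filtering stay disabled")
    elif (days := (exp - date.fromisoformat(today)).days) < 0:
        warnings.append(f"license expired {-days} days ago")
    elif days <= license_days:
        warnings.append(f"license expires in {days} days")
    return warnings
```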

The count is the number of echo requests to send. If you do not specify a number, 4 requests are sent. The range is 1 to 10,000.

Example of a successful ping

sensor# ping 10.89.146.110 6

PING 10.89.146.110 (10.89.146.110): 56 data bytes

64 bytes from 10.89.146.110: icmp_seq=0 ttl=61 time=0.3 ms

64 bytes from 10.89.146.110: icmp_seq=1 ttl=61 time=0.1 ms

64 bytes from 10.89.146.110: icmp_seq=2 ttl=61 time=0.1 ms

64 bytes from 10.89.146.110: icmp_seq=3 ttl=61 time=0.2 ms

64 bytes from 10.89.146.110: icmp_seq=4 ttl=61 time=0.2 ms

64 bytes from 10.89.146.110: icmp_seq=5 ttl=61 time=0.2 ms

--- 10.89.146.110 ping statistics ---

6 packets transmitted, 6 packets received, 0% packet loss

round-trip min/avg/max = 0.1/0.1/0.3 ms

Example of an unsuccessful ping

sensor# ping 172.21.172.1 3

PING 172.21.172.1 (172.21.172.1): 56 data bytes

--- 172.21.172.1 ping statistics ---

3 packets transmitted, 0 packets received, 100% packet loss

sensor#

Resetting the Appliance

Use the reset [powerdown] command to shut down the applications running on the appliance and to reboot the appliance. You can include the powerdown option to power off the appliance, if possible, or to have the appliance left in a state where the power can be turned off.

Shutdown (stopping the applications) begins immediately after you execute the command. Shutdown can take a while, and you can still access CLI commands while it is taking place, but the session is terminated without warning.

To reset the appliance, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 To stop all applications and reboot the appliance, follow Steps 2 and 3. To power down the appliance instead, follow Steps 4 and 5.

sensor# reset

Warning: Executing this command will stop all applications and reboot the node.

Continue with reset? []:

Step 3 Enter yes to continue the reset.

sensor# yes

Request Succeeded.

sensor#

Step 4 Stop all applications and power down the appliance.

sensor# reset powerdown

Warning: Executing this command will stop all applications and power off the node if possible. If the node can not be powered off it will be left in a state that is safe to manually power down.

Displaying Command History

Use the show history command to obtain a list of the commands you have entered in the current menu. The maximum number of commands in the list is 50.

To obtain a list of the commands you have used recently, follow these steps:

Step 1 Log in to the CLI.

Step 2 Show the history of the commands you have used in EXEC mode.

sensor# show history

clear line

configure terminal

show history

Step 3 Show the history of the commands you have used in network access mode.

sensor# configure terminal

sensor (config)# service network-access

sensor (config-net)# show history

show settings

show settings terse

show settings | include profile-name|ip-address

exit

show history

sensor (config-net)#

Displaying Hardware Inventory

Note The show inventory command does not apply to IPS modules, such as the AIM IPS, AIP SSM, IDSM2, or NME IPS.

Use the show inventory command to display PEP information. This command displays the UDI information that consists of the PID, the VID, and the SN of your sensor. PEP information provides an easy way to obtain the hardware version and serial number through the CLI.

To display PEP information, follow these steps:

Step 1 Log in to the CLI.

Step 2 Display the PEP information.

sensor# show inventory

Name: "Chassis", DESCR: "IPS 4255 Intrusion Prevention Sensor"

PID: IPS 4255-K9, VID: V01 , SN: JAB0815R017

Name: "Power Supply", DESCR: ""

PID: ASA-180W-PWR-AC, VID: V01 , SN: 123456789AB

sensor#

sensor# show inventory

Name: "Module", DESCR: "ASA 5500 Series Security Services Module-20"

PID: ASA-SSM-20, VID: V01 , SN: JAB0815R036

sensor#

sensor-4240# show inventory

Name: "Chassis", DESCR: "IPS 4240 Appliance Sensor"

PID: IPS 4240-K9, VID: V01 , SN: P3000000653

sensor-4240#

You can use this information when dealing with the TAC.

Tracing the Route of an IP Packet

Caution No command interrupt is available for this command. It must run to completion.

Use the trace ip_address [count] command to display the route an IP packet takes to a destination. The ip_address option is the address of the system to trace the route to. The count option lets you define how many hops you want to take. The default is 4. The valid values are 1 to 256.

To trace the route of an IP packet, follow these steps:

Step 1 Log in to the CLI.

Step 2 Display the route of the IP packet you are interested in.

sensor# trace 10.1.1.1

traceroute to 10.1.1.1 (10.1.1.1), 4 hops max, 40 byte packets

1 10.89.130.1 (10.89.130.1) 0.267 ms 0.262 ms 0.236 ms

2 10.89.128.17 (10.89.128.17) 0.24 ms * 0.399 ms

3 * 10.89.128.17 (10.89.128.17) 0.424 ms *

4 10.89.128.17 (10.89.128.17) 0.408 ms * 0.406 ms

sensor#

Step 3 To trace more hops than the default of 4, use the count option.

sensor# trace 10.1.1.1 8

traceroute to 10.1.1.1 (10.1.1.1), 8 hops max, 40 byte packets

1 10.89.130.1 (10.89.130.1) 0.35 ms 0.261 ms 0.238 ms

2 10.89.128.17 (10.89.128.17) 0.36 ms * 0.344 ms

3 * 10.89.128.17 (10.89.128.17) 0.465 ms *

4 10.89.128.17 (10.89.128.17) 0.319 ms * 0.442 ms

5 * 10.89.128.17 (10.89.128.17) 0.304 ms *

6 10.89.128.17 (10.89.128.17) 0.527 ms * 0.402 ms

7 * 10.89.128.17 (10.89.128.17) 0.39 ms *

8 10.89.128.17 (10.89.128.17) 0.37 ms * 0.486 ms

sensor#

Displaying Submode Settings

Use the show settings [terse] command in any submode to view the contents of the current configuration.

To display the current configuration settings for a submode, follow these steps:

Step 1 Log in to the CLI.

Step 2 Show the current configuration for the ARC submode.

sensor# configure terminal

sensor (config)# service network-access

sensor (config-net)# show settings

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: false <defaulted>

allow-sensor-block: false <defaulted>

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 default: 250

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

block-networks (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

-----------------------------------------------

user-profiles (min: 0, max: 250, current: 11)

-----------------------------------------------

profile-name: 2admin

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: pix default:

-----------------------------------------------

profile-name: r7200

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: netrangr default:

-----------------------------------------------

profile-name: insidePix

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: <defaulted>

-----------------------------------------------

profile-name: qatest

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: <defaulted>

-----------------------------------------------

profile-name: fwsm

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: pix default:

-----------------------------------------------

profile-name: outsidePix

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: pix default:

-----------------------------------------------

profile-name: cat

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: <defaulted>

-----------------------------------------------

profile-name: rcat

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: cisco default:

-----------------------------------------------

profile-name: nopass

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: <defaulted>

-----------------------------------------------

profile-name: test

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: pix default:

-----------------------------------------------

profile-name: sshswitch

-----------------------------------------------

enable-password: <hidden>

password: <hidden>

username: cisco default:

-----------------------------------------------

-----------------------------------------------

cat6k-devices (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 10.89.147.61

-----------------------------------------------

communication: telnet default: ssh-3des

nat-address: 0.0.0.0 <defaulted>

profile-name: cat

block-vlans (min: 0, max: 100, current: 1)

-----------------------------------------------

vlan: 1

-----------------------------------------------

pre-vacl-name: <defaulted>

post-vacl-name: <defaulted>

-----------------------------------------------

-----------------------------------------------

-----------------------------------------------

-----------------------------------------------

router-devices (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 10.89.147.54

-----------------------------------------------

communication: telnet default: ssh-3des

nat-address: 0.0.0.0 <defaulted>

profile-name: r7200

block-interfaces (min: 0, max: 100, current: 1)

-----------------------------------------------

interface-name: fa0/0

direction: in

-----------------------------------------------

pre-acl-name: <defaulted>

post-acl-name: <defaulted>

-----------------------------------------------

-----------------------------------------------

-----------------------------------------------

-----------------------------------------------

firewall-devices (min: 0, max: 250, current: 2)

-----------------------------------------------

ip-address: 10.89.147.10

-----------------------------------------------

communication: telnet default: ssh-3des

nat-address: 0.0.0.0 <defaulted>

profile-name: insidePix

-----------------------------------------------

ip-address: 10.89.147.82

-----------------------------------------------

communication: ssh-3des <defaulted>

nat-address: 0.0.0.0 <defaulted>

profile-name: f1

-----------------------------------------------

-----------------------------------------------

sensor (config-net)#

Step 3 Show the ARC settings in terse mode.

sensor(config-net)# show settings terse

general

-----------------------------------------------

log-all-block-events-and-errors: true <defaulted>

enable-nvram-write: false <defaulted>

enable-acl-logging: false <defaulted>

allow-sensor-block: false <defaulted>

block-enable: true <defaulted>

block-max-entries: 250 <defaulted>

max-interfaces: 250 default: 250

master-blocking-sensors (min: 0, max: 100, current: 0)

-----------------------------------------------

-----------------------------------------------

never-block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

never-block-networks (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

block-hosts (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

block-networks (min: 0, max: 250, current: 0)

-----------------------------------------------

-----------------------------------------------

-----------------------------------------------

user-profiles (min: 0, max: 250, current: 11)

-----------------------------------------------

profile-name: 2admin

profile-name: r7200

profile-name: insidePix

profile-name: qatest

profile-name: fwsm

profile-name: outsidePix

profile-name: cat

profile-name: rcat

profile-name: nopass

profile-name: test

profile-name: sshswitch

-----------------------------------------------

cat6k-devices (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 10.89.147.61

-----------------------------------------------

router-devices (min: 0, max: 250, current: 1)

-----------------------------------------------

ip-address: 10.89.147.54

-----------------------------------------------

firewall-devices (min: 0, max: 250, current: 2)

-----------------------------------------------

ip-address: 10.89.147.10

ip-address: 10.89.147.82

-----------------------------------------------

sensor(config-net)#

Step 4 You can use the include keyword to show settings in a filtered output, for example, to show only profile names and IP addresses in the ARC configuration.